The Hacker News — Cyber Security, Hacking, Technology News

Security boffins have discovered a critical vulnerability in a GnuPG cryptographic library that allowed the researchers to completely break RSA-1024 and successfully extract the secret RSA key to decrypt data.

Gnu Privacy Guard (GnuPG or GPG) is popular open source encryption software used by many operating systems from Linux and FreeBSD to Windows and macOS X.

It's the same software used by the former NSA contractor and whistleblower Edward Snowden to keep his communication secure from law enforcement.

The vulnerability, labeled CVE-2017-7526, resides in the Libgcrypt cryptographic library used by GnuPG, which is prone to a local FLUSH+RELOAD side-channel attack.

A team of researchers — from Technical University of Eindhoven, the University of Illinois, the University of Pennsylvania, the University of Maryland, and the University of Adelaide — found that the "left-to-right sliding window" method used by the libgcrypt library for carrying out the mathematics of cryptography leaks significantly more information about exponent bits than for right-to-left, allowing full RSA key recovery.

"In this paper, we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion," the researchers wrote in the research paper.

"The pattern of squarings and multiplications in left-to-right sliding windows leaks significantly more information about the exponent than right-to-left. We show how to extend the Heninger-Shacham algorithm for partial key reconstruction to make use of this information and obtain a very efficient full key recovery for RSA-1024."

The L3 cache side-channel attack requires an attacker to run arbitrary software on the hardware where the private RSA key is used.

The attack allows an attacker to extract the secret crypto key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the device that are emitted during the decryption process.

"Thus in practice, there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines, this attack may be used by one VM to steal private keys from another VM," the Libgcrypt advisory reads.

Researchers have also provided evidence that the same side-channel attack works against RSA-2048, which requires moderately more computation than RSA-1024.

Werner Koch, the man who authored the free email encryption software, is running out of funding to continue the development of his crucial open-source GNU Privacy Guard (GnuPG) encryption tools. The code works on plenty of operating systems from Linux and FreeBSD to Windows and OS X.

The popular Gnu Privacy Guard (GnuPG or GPG) email encryption software is the same used by the former United States National Security Agency (NSA) contractor and whistleblower Edward Snowden to keep his communication secure from law enforcement authorities.

GPG uses the OpenPGP standard to safeguard the communications of millions of people, including journalists, dissidents and security-minded people, around the world from eavesdroppers and other miscreants.

GPG EMAIL ENCRYPTION RELIES ON THIS GUY ONLY

Werner Koch has been maintaining and improving the code of his own secure email software since its initial development in 1997. Since then he has worked for very low wages, and he is now looking for substantial funding to keep his project alive.

GPG provides protection to a number of multibillion-dollar technology industries, and the code works on a lot of operating systems from Linux and FreeBSD to Windows and Mac OS X. Although Koch has had help from a number of companies and organisations over the years, he pretty much works alone on the project.

Werner Koch, who lives and operates in Germany, was about to quit the project in 2013 because funding for the project had been evaporating over the past three years. But meanwhile, the Snowden revelations once again boosted him up. Snowden himself made a video and encouraged journalists and security lovers to use GPG to secure email communications.

After ProPublica published an article about Werner Koch, the financially struggling developer of the popular privacy software, a handful of companies came forward to help and fund Koch’s project.

"If there is one nightmare that we fear, then it's the fact that Werner Koch is no longer available," said Enigmail developer Nicolai Josuttis. "It's a shame that he is alone and that he has such a bad financial situation."

GNUPG RECEIVED $60,000 FROM LINUX FOUNDATION

Yesterday a tweet from Koch’s Twitter account revealed that he had been granted $60,000 by the Linux Foundation, while the official donations portal of Linux had racked up €123,253 at the time of writing, which is over its €120,000 goal.

"For a critical project of this size, two experienced developers are required for proper operation. This requires gross revenues of 120,000 euro per year," the company said on its website. "Unfortunately, there is currently only one underpaid full-time developer, who is barely able to keep up with the work."

MORE FUNDING FROM FACEBOOK & STRIPE

Also on the same day, the popular social network giant Facebook and credit card processor Stripe announced that they will each donate $50,000 per year to fund the development of encryption software GNU Privacy Guard.

"Thank you all," he tweeted early on Friday morning.

OPENSSL ALSO RECEIVED FUNDING FROM TECH COMPANIES

Last year, the operators of the open source cryptographic software library, which secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies, also ran out of budget.

After Heartbleed, a security flaw in OpenSSL that exposed user passwords and the private encryption keys needed to protect websites, the OpenSSL project received funding from a number of organisations and companies, including the Linux Foundation, HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many others.